Latest DBatLoader Uses Driver Module to Disable AV/EDR Software
Overview
Threat actors are continuously evolving their malware code to protect them against security defenses. SonicWall Capture Labs threat research team has observed that the latest variant of DBatLoader has included an old version of RogueKiller Antirootkit Driver which is used by the malware to terminate security software. The malware majorly delivers Remcos RAT, but is also known for delivering other malware. The malware is received inside an archive as an email attachment and is highly obfuscated, containing multiple layers of encryption data.
First Layer
The malware starts its execution with a call to the OpenURL API and, based on the return value, the malware initializes a string value which is used in the obfuscation code. The malware is full of obfuscated code which pretends to be an API hooking code but does not hook any API. Sometimes the obfuscated code fails by calling a Unicode argument expecting API with an ASCII value and sometimes it just modifies the API address in its own memory array. The malware also contains multiple concatenation, copy and move instructions before calling the fake API hooking module. The malware contains a GIF image which contains an encrypted second layer executable.
Figure 1: Obfuscation code
Not a True Image Steganography
In old variants, it was observed that the malware kept a GIF image in the resource data, but in the latest variant, the GIF file is kept in the file itself to avoid detection from the security software. The GIF image contains an encrypted next-layer executable which is not hidden in the pixel’s data but is actually in the additional bytes in the GIF image and does not alter the image’s visuals. The malware reads the GIF image bytes and searches for the delimiter string “< <” (0x3C 0x20 0x3C), to get a total of nine chunks of bytes separated by the delimiter. The seventh chunk of bytes is the encrypted second-layer executable.
Figure 2: GIF Image
The decryption logic involves the addition of value 0x6B into the encrypted bytes to get the second layer executable.
Figure 3: Decryption logic in first layer executable
The malware allocates memory in the self process using the API ZwAllocateVirtualMemory to load the decrypted binary sections. The malware fixes the relocations, resolves imports and transfers control of the entry point of the second-layer executable.
Figure 4: Computes entrypoint
Second Layer
The malware starts by calling the timeSetEvent API to delay a callback function execution with 2710h milliseconds and additionally uses the argument constant TIME_ONESHOT for a one-time execution of the callback function which further continues the malicious execution. The malware checks the client’s internet status using the API InetIsOffline and, based on the return value, the malware initializes a string that is used in obfuscation code like the first layer executable.
The malware extracts the current executable name without the extension and appends “.png” to check its presence in the current directory. The checked PNG file is not available for the current variant, however, examining the code, the PNG file is expected to contain a list of URLs in plaintext. As the PNG file is not available, the malware reads the current executable file and searches for the “^^Nc” delimiter to retrieve the list of encrypted URLs and a key to decrypt URLs which is “202” in the current variants.
Figure 5: Delimiter to separate the URL list and key
The URL list is decrypted by adding the value 0x43 (202-0x10D) to the encrypted bytes. The decrypted URL list is separated by the delimiter “@^@”. The malware has structure to keep three URLs but in the current variant only one URL is available and other URLs are initialized with the values “Link2” and “Link3”.
Figure 6: First layer decryption used to decrypt URLs
The malware sequentially checks for an active URL using the API InternetCheckConnectionA from the decrypted list of URLs. Instead of using conventional APIs to download a file from a URL, the malware retrieved the COM library “winhttpcom.dll” CLSID for “WinHttp.WinHttpRequest.5.1” using the API CLSIDFromProgID and instantiates its object using the API CoCreateInstance.
Figure 7: COM library used for downloading data
Figure 8: URLs to download data
The malware now downloads data from the URL: “h[t][t]ps://nbtp1[.]sa[.]com/youtubedrivedocumentsuploadgoogledownloaduptowns/202_Pblednxqcpj” using APIs from the COM library “winhttpcom.dll”. It also checks for downloaded bytes size which should be more than 0x7530.
Figure 9: Downloaded encrypted data
Downloaded data contains multiple executable files associated with the malware along with configuration data and an additional malware payload executable which is Remcos RAT in the current variant. Before Base64 encoding, configuration data and other associated binary executables are two layers encrypted but the additional malware executable contains a total of five layers of encryption.
The first layer is decrypted using the same logic which was used to decrypt the list of URLs by adding 0x43 value into the encrypted data. The second layer decryption logic checks the encrypted byte if it is greater than 7F (0x21+0x5E) then the encrypted byte is added to 0x0E, divided by 0x5E and then added by 0x21 to get the decrypted byte:
Figure 10: Second layer decryption
The decrypted data is separated by the delimiter “*()%@5YT!@#G__T@#$%^&*()__#@$#57$#!@” which contains the following information:
- Decryption key for the additional malware
- File name used for persistence entry
- Encrypted additional malware (Remcos RAT)
- Configuration Data
- Old version of Exchange ActiveSync Invoker (easinvoker.exe) vulnerable to DLL hijacking
- Malicious netutils.dll for privileged execution
- Old version of RogueKiller Antirootkit Driver (truesight.sys) to terminate security software
Figure 11: Downloaded decrypted data
Persistence
The malware drops a self-copy into “C:\Users\Public\Libraries\Pblednxq.PIF” and creates a Windows Shortcut File (LNK) file “C:\Users\Public\Pblednxq.url” which tries to execute the dropped self-copy of the malware.
Figure 12: Windows shortcut file
The malware creates the registry entry “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\Run\Pblednxq” for the current user and sets the value to the dropped LNK file path:
Figure 13: Persistence entry
Privilege Escalation
The malware drops easinvoker.exe, netutils.dll and truesignt.sys from the downloaded data into the directory “C:\Users\Public\Libraries”. The old version of Exchange ActiveSync Invoker (easinvoker.exe) is vulnerable to relative path DLL hijacking which loads malicious netutils.dll from the current directory on execution. The old version of RogueKiller Antirootkit Driver (truesight.sys) is a kernel driver file that terminates protected processes associated with the provided process ID. The malware also drops two batch files PblednxqO.bat and KDECO.bat into “C:\Users\Public\Libraries” and executes “PblednxqO.bat” using the API WinExec.
Figure 14: Obfuscated PblednxqO.bat
After de-obfuscating the batch file “PblednxqO.bat”, it becomes legible. The batch script creates the directory “C:\Windows ” which contains additional space to take advantage of mocking a trusted directory method for privilege escalation. The malware copies the files easinvoker.exe, netutils.dll and KDECO.bat from the directory “C:\Users\Public\Libraries” to directory “C:\Windows \System32” and starts privileged mode execution for the easinvoker.exe process.
Figure 15: Simplified PblednxqO.bat
The malware now deletes used files that are no longer needed from the “C:\Users\Public\Libraries” and “C:\Windows \System32” directories, leaving files that are being used for persistence and further execution.
Figure 16: Deleting used files
The batch script has already executed the easinvoker.exe process and the malware also executes the easinvoker.exe using the API WinExec as a backup plan which loads malicious netutils.dll.
Figure 17: Starts easinvoker.exe
EDR Evasion
DLLMain function in “netutils.dll” contains a fake API hooking obfuscation which invokes the API LoadLibraryW using the filename “Amsi” as an ASCII string. The LoadLibraryW API expects the Unicode string as an argument and is provided with an ASCII string which causes failure of the API. The code intended for API hooking is never executed.
Figure 18: Fake API hooking obfuscation
The malware executes “C:\Windows \System32\KDECO.bat” using the API WinExec which is obfuscated similarly as “PblednxqO.bat”.
Figure 19: Executes KDECO.bat
After obfuscating, the batch script becomes legible. The batch script executes a PowerShell cmdlet to exclude the directory “C:\Users” from Windows Defender’s scanning. The batch script also registers and starts “C:\Users\Public\Libraries\truesight.sys” as a kernel mode driver.
Figure 20: Simplified KDECO.bat
The malware contains list of 49 security software processes which are checked against the running processes to retrieve the process ID.
Figure 21: 49 security processes
The retrieved process ID is sent to the driver component which terminates the associated running process.
Figure 22: Sends process ID to the kernel driver
TrueSight RogueKiller Antirootkit Driver
The driver component truesight.sys file with version 3.3.0 used by the malware belongs to RogueKiller AntiMalware software by Adlice Software. The kernel driver terminates protected processes associated with the process ID sent by the netutils.dll binary. Truesight.sys version 3.4 is fixed to avoid killing protected processes.
Process Injection
Even after two layers of decryption for the downloaded data, the Remcos RAT payload executable is still encrypted. For the next layer of decryption, the malware retrieves key bytes from the downloaded data. The decryption involves XOR operations with encrypted byte, encrypted bytes size, key byte and key bytes size to get the next level of decrypted bytes which are then reversed. The reversed bytes are decrypted using the same decryption logic, which was used to decrypt the downloaded data to finally get the Remcos RAT executable.
Figure 23: third layer decryption used to decrypt payload
The malware has a list of file names to inject the final payload executable. The malware selects one file from the list and checks its presence in “c:\windows\system32” to start the process. If the file is not found, then the malware has a backup file name “iexpress.exe” to start as a process.
- SndVol.exe
- colorcpl.exe
- wusa.exe
Figure 24: List of processes to inject payload
The malware starts the process “C:\Windows\System32\colorcpl.exe” for the current execution and enumerates the running processes using APIs CreateToolhelp32Snapshot, Process32First and Process32Next to get the handle for the process name “colorcpl.exe”.
Figure 25: Executes colorcpl.exe
Figure 26: Enumerates running processes to get colorcpl.exe
The malware loads the decrypted Remcos RAT executable into the memory and writes the memory into “colorcpl.exe” using the API NtWriteVirtualMemory. It then starts a thread at the entry point using the API RtlCreateUserThread.
Figure 27: Write process memory
Figure 28: Starts thread in injected process
